Wednesday, April 16, 2014

Steganography 22

An article on Steg22.

Hello everyone. If you are here, that means you are stuck on how to attack this challenge. For this challenge, you will need to read up on JPEG header information and on how to convert decimal numbers to hexadecimal numbers. In this article, you will learn a little about JPEG headers and how to look at this challenge Outside the box.

JPEG headers are the main construct of the image. They carry all the information about the image. When you open an image in a viewer, it first loads these headers, which are triggered by viewing markers. The first marker is called the SOI, or Start of Image, marker. This marker tells the rendering application that it is a JPEG image and that it is a standard image that can be read by any platform. This marker is shown as JFIF. After the SOI marker is read, a series of other markers follows: the header information. Each header holds a specific attribute of the image, and its marker is immediately followed by two bytes that set the length of the header's information. A marker starts with the hexadecimal byte FF. Here is a basic outline of what image headers look like.

-- Copied, not my own layout! --

Start of Image (SOI) marker -- two bytes (FFD8)
JFIF marker (FFE0)

• length -- two bytes
• identifier -- five bytes: 4A, 46, 49, 46, 00 (the ASCII code equivalent of a zero terminated "JFIF" string)
• version -- two bytes: often 01, 02
  o the most significant byte is used for major revisions
  o the least significant byte for minor revisions
• units -- one byte: Units for the X and Y densities
  o 0 => no units, X and Y specify the pixel aspect ratio
  o 1 => X and Y are dots per inch
  o 2 => X and Y are dots per cm
• Xdensity -- two bytes
• Ydensity -- two bytes
• Xthumbnail -- one byte: 0 = no thumbnail
• Ythumbnail -- one byte: 0 = no thumbnail
• (RGB)n -- 3n bytes: packed (24-bit) RGB values for the thumbnail pixels, n = Xthumbnail * Ythumbnail
Define Quantization table marker (FFDB)

• the first two bytes, the length, after the marker indicate the number of bytes, including the two length bytes, that this header contains
• until the length is exhausted (loads two quantization tables for baseline JPEG)
  o the precision and the quantization table index -- one byte: precision is specified by the higher four bits and index is specified by the lower four bits
    ▪ precision in this case is either 0 or 1 and indicates the precision of the quantized values; 8-bit (baseline) for 0 and up to 16-bit for 1
  o the quantization values -- 64 bytes
    ▪ the quantization tables are stored in zigzag format
Define Huffman table marker (FFC4)

• the first two bytes, the length, after the marker indicate the number of bytes, including the two length bytes, that this header contains
• until length is exhausted (usually four Huffman tables)
  o index -- one byte: if >15 (i.e. 0x10 or more) then an AC table, otherwise a DC table
  o bits -- 16 bytes
  o Huffman values -- # of bytes = the sum of the previous 16 bytes
Start of frame marker (FFC0)

• the first two bytes, the length, after the marker indicate the number of bytes, including the two length bytes, that this header contains
• P -- one byte: sample precision in bits (usually 8, for baseline JPEG)
• Y -- two bytes
• X -- two bytes
• Nf -- one byte: the number of components in the image
  o 3 for color baseline JPEG images
  o 1 for grayscale baseline JPEG images
• Nf times:
  o Component ID -- one byte
  o H and V sampling factors -- one byte: H is first four bits and V is second four bits
  o Quantization table number -- one byte
The H and V sampling factors dictate the final size of the component they are associated with. For instance, the color space defaults to YCbCr and the H and V sampling factors for each component, Y, Cb, and Cr, default to 2, 1, and 1, respectively (2 for both H and V of the Y component, etc.) in the Jpeg-6a library by the Independent Jpeg Group. While this does mean that the Y component will be twice the size of the other two components--giving it a higher resolution, the lower resolution components are quartered in size during compression in order to achieve this difference. Thus, the Cb and Cr components must be quadrupled in size during decompression.
Start of Scan marker (FFDA)

• the first two bytes, the length, after the marker indicate the number of bytes, including the two length bytes, that this header contains
• Number of components, n -- one byte: the number of components in this scan
• n times:
  o Component ID -- one byte
  o DC and AC table numbers -- one byte: DC # is first four bits and AC # is last four bits
• Ss -- one byte
• Se -- one byte
• Ah and Al -- one byte
Comment marker (FFFE)

• the first two bytes, the length, after the marker indicate the number of bytes, including the two length bytes, that this header contains
• whatever the user wants
End of Image (EOI) marker (FFD9)

• the very last marker
(Taken from James R. Weeks : )
-- End of Copy --

Now that you have a basic understanding of how a JPEG image is rendered, you can start thinking about how Steg22 can be withholding or providing information.

For the final part you need to “think Outside the box”. Think on that for a bit; it will come to you. Once you figure out that little riddle, congrats!
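
The layout in the outline can be walked mechanically: each segment is FF, a marker byte, then a two-byte big-endian length that counts itself. The Python below is an added example, not part of the original article or the challenge; `walk_segments`, `parse_jfif`, `seg` and the `SAMPLE` bytes are names and data constructed here for illustration.

```python
import struct

# Second byte of each FFxx marker named in the outline above.
NAMES = {0xD8: "SOI", 0xE0: "JFIF", 0xDB: "DQT", 0xC4: "DHT",
         0xC0: "SOF", 0xDA: "SOS", 0xFE: "COM", 0xD9: "EOI"}

def walk_segments(data):
    """Return ([(offset, name, payload), ...], bytes_after_EOI)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker (FFD8)")
    segments, pos = [(0, "SOI", b"")], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        code = data[pos + 1]
        name = NAMES.get(code, f"FF{code:02X}")
        if code == 0xD9:  # EOI: anything after it is outside the image
            return segments + [(pos, name, b"")], data[pos + 2:]
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad length {length} at offset {pos}")
        segments.append((pos, name, data[pos + 4:pos + 2 + length]))
        pos += 2 + length  # the length counts its own two bytes
        if code == 0xDA:  # compressed scan data follows the SOS header
            while pos + 1 < len(data) and not (
                    data[pos] == 0xFF
                    and data[pos + 1] not in (0x00, *range(0xD0, 0xD8))):
                pos += 1  # skip data, FF00 stuffing and RSTn markers
    raise ValueError("no EOI marker (FFD9) found")

def parse_jfif(payload):
    """Decode the JFIF header fields listed in the outline."""
    if len(payload) < 14 or payload[:5] != b"JFIF\x00":
        raise ValueError("not a JFIF header")
    major, minor, units, xd, yd, xt, yt = struct.unpack(">BBBHHBB", payload[5:14])
    return {"version": (major, minor), "units": units,
            "density": (xd, yd), "thumbnail": (xt, yt)}

def seg(code, payload):  # builds one segment for the constructed sample
    return bytes([0xFF, code]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample, not a decodable picture: only the segment layout is real.
SAMPLE = (b"\xff\xd8"
          + seg(0xE0, b"JFIF\x00\x01\x02\x01\x00\x48\x00\x48\x00\x00")
          + seg(0xFE, b"constructed comment")
          + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
          + b"\x12\xff\x00\x34" + b"\xff\xd9" + b"extra")
```

Calling `walk_segments(SAMPLE)` lists every segment with its offset and also returns whatever bytes sit after the EOI marker, which a viewer ignores.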

I would like to thank System_Meltdown for pointing me in the right direction for this challenge. Without his knowledge I would still be lost.

*edited due to spoilers - elmiguel*


454447415244 on October 09 2009 - 15:44:36
*sigh. Too many spoilers. You'd rather give them the answer lol. Anyways, it was a good informative article about JPEG image header.
korg on October 09 2009 - 20:42:25
Not too many spoilers, at least not in my opinion. Hell, I haven't got it yet and I've had this article for a month.
f16e7 on October 09 2009 - 21:24:07
You have? Then why wasn't this published sooner?
454447415244 on October 10 2009 - 00:45:34
@korg, when you solve this challenge you will know then why I said this. BTW, me and system_meltdown think that this article should be edited so I contacted elmiguel.
korg on October 10 2009 - 03:10:31
If you contacted system, he could have edited this himself. If you think something is a spoiler, PM me and I will edit it. I don't see anything but info that is readily available about a Jpeg image. @Spy I didn't want it out too soon. Again, if something is out of line let me know.
Mouzi on October 12 2009 - 11:35:19
The rest of the article makes it sound like it has nothing to do with JPEG headers and is just some HEX joke/wordplay and not applicable as stegano for any information like 19 was. I don't know if that's the case but it just made it sound like that. If it was just a technical stegano with JPEG headers, what's the need for riddles and "find and replace all", which usually has unpredictable results?
elmiguel on October 12 2009 - 16:38:11
Edited. Hope that it's all good now.
korg on October 19 2009 - 03:02:13
@Moshbat pen test 2 was a joke, doesn't need spoilers, they're already there.
korg on November 01 2009 - 01:50:26
This article is no help in finishing the challenge. I did it and NOTHING in here helps or pertains to the challenge. Might just delete this so people aren't misled.
mido on December 06 2009 - 20:07:02
Dude, you could have just posted a link to the web page, duh.
4rm4g3dd0n on May 12 2010 - 17:23:45
Well, whatever spoilers there were are gone now, so all I can say is my head hurts. Looks like alien trigonometry. What the hell are you talking about?